Slashdot Mirror

← Back to Stories (view on slashdot.org)

None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

Posted by msmash on from the proving-useful dept.

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

1 of 126 comments (clear)

  1. 2FA finally by supernova87a · · Score: 5, Interesting

    It was this article that finally made me switch from SMS verification codes for my personal email (gmail): Wired article

    And I went to Google Authenticator only after I figured out how to put the same code on multiple devices and assure myself that I had enough backup hard copies of keys that I would not likely get locked out permanently should I ever lose my phone, etc.

    The U2F works great for corporate, etc. where you have a support team who can help you in case you lose it or forget anything. They can make you come in person and prove that you are you.

    The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.